janiussyafiq opened a new pull request, #13570:
URL: https://github.com/apache/apisix/pull/13570

   ### Description
   
   This PR adds a new plugin, **`ai-lakera-guard`**, that integrates APISIX 
with the [Lakera Guard v2 `/guard` API](https://docs.lakera.ai/) to perform 
ML-based security scanning of LLM **requests** at the gateway — prompt 
injection / jailbreak, PII leakage, content-policy violations, and malicious / 
unknown links — so each backend LLM service no longer has to implement its own 
guardrails.
   
   This is **PR-1 (input guard MVP)** of a planned, independently shippable 
series (input → output → streaming → observability), modeled closely on 
`ai-aliyun-content-moderation`.
   
   #### How it works
   
   - Runs in the `access` phase at priority **1028**, just below `ai-proxy` 
(1040) and `ai-proxy-multi` (1041), so the AI context is already populated. The 
plugin **requires** one of those proxies and returns `500` otherwise.
   - Extracts the whole request conversation via `apisix.plugins.ai-protocols` 
(no role distinction) and sends it to Lakera `POST /v2/guard`.
   - On a flagged verdict it applies the configured `action`:
     - **`block`** (default) — returns a **provider-compatible** deny response 
(a valid chat-completion, or SSE for streaming requests) carrying 
`request_failure_message`, built via `proto.build_deny_response`, so client 
SDKs render the refusal as a normal completion. The status is `deny_code` 
(default `200`; set a 4xx to surface blocks as HTTP errors).
     - **`alert`** — log-only shadow mode; traffic passes through.
   - Lakera errors / timeouts are governed by `fail_open` (fail-**closed** by 
default).
   - `api_key` is secret-managed via `encrypt_fields` + native `$secret://` / 
`$env://` resolution.
   - `reveal_failure_categories` optionally appends the matched detectors to 
the deny message; every flagged verdict logs Lakera's full per-detector 
breakdown and `request_uuid`.
   
   #### Configuration
   
   `api_key` is the only required field. Others: `lakera_endpoint`, 
`project_id`, `direction` (`input` only in this PR), `action`, `fail_open`, 
`timeout`, `ssl_verify`, `reveal_failure_categories`, `deny_code`, 
`request_failure_message`.
   
   #### Files
   
   - Plugin: `apisix/plugins/ai-lakera-guard.lua`, 
`apisix/plugins/ai-lakera-guard/schema.lua`, 
`apisix/plugins/ai-lakera-guard/client.lua`
   - Registration: `apisix/cli/config.lua`, `conf/config.yaml.example`
   - Docs: `docs/en/latest/plugins/ai-lakera-guard.md`, 
`docs/en/latest/config.json`
   - Tests: `t/plugin/ai-lakera-guard.t`, `t/plugin/ai-lakera-guard-secrets.t`, 
fixtures under `t/fixtures/lakera/`
   
   #### Which issue(s) this PR fixes:
   
   Part of #13291
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (new, opt-in 
plugin disabled by default; additive registration only)
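
Added example, not code from this PR or from APISIX: the `block` / `alert` / `fail_open` decision table described above, modelled as plain Python so the fail-closed default and shadow mode can be exercised offline. The Lakera reply shape (`flagged`, `payload[].detector_type`, `request_uuid`), the status used when failing closed, and the minimal chat-completion deny body are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GuardConfig:
    action: str = "block"          # "block" (default) or "alert" (log-only shadow mode)
    fail_open: bool = False        # fail-closed by default: a Lakera error denies the request
    deny_code: int = 200           # set a 4xx to surface blocks as HTTP errors
    reveal_failure_categories: bool = False
    request_failure_message: str = "Request blocked by ai-lakera-guard."

@dataclass
class Decision:
    allow: bool
    status: Optional[int] = None
    body: Optional[dict] = None
    log: list = field(default_factory=list)

def deny_body(message: str) -> dict:
    # Assumed provider-compatible shape: a minimal chat completion a client SDK renders as-is
    return {"object": "chat.completion", "choices": [
        {"index": 0, "finish_reason": "stop",
         "message": {"role": "assistant", "content": message}}]}

def decide(cfg: GuardConfig, verdict: Optional[dict], error: Optional[str] = None) -> Decision:
    """verdict is the parsed Lakera /v2/guard reply; error is set when the call failed."""
    if error is not None:
        if cfg.fail_open:
            return Decision(True, log=[f"lakera unavailable, fail_open=true: {error}"])
        # Assumed status for fail-closed; the PR text does not state one
        return Decision(False, 500, {"error": "guard unavailable"},
                        [f"lakera unavailable, fail_open=false: {error}"])
    if not verdict.get("flagged"):
        return Decision(True)
    categories = sorted({d["detector_type"] for d in verdict.get("payload", [])})
    # Every flagged verdict is logged with its per-detector breakdown and request_uuid
    log = [f"flagged request_uuid={verdict.get('request_uuid')} detectors={categories}"]
    if cfg.action == "alert":
        return Decision(True, log=log)        # shadow mode: log only, traffic passes
    message = cfg.request_failure_message
    if cfg.reveal_failure_categories and categories:
        message = f"{message} ({', '.join(categories)})"
    return Decision(False, cfg.deny_code, deny_body(message), log)

# Constructed sample verdicts, not captured Lakera responses
FLAGGED = {"flagged": True, "request_uuid": "req-constructed-0001",
           "payload": [{"detector_type": "prompt_attack"}, {"detector_type": "pii/email"}]}
CLEAN = {"flagged": False, "request_uuid": "req-constructed-0002", "payload": []}
```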
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
